Abstract

We present a primality proving algorithm for Proth numbers. The algorithm is deterministic without assuming any unproven hypothesis. For some cases, the expected running time and the worst case running time of the algorithm are $O(\log^2 N)$ and $O(\log^3 N)$ bit operations, respectively.

1 Introduction 

A Proth number is a positive integer of the form

$N = 2^e \cdot t + 1$ for some odd $t$ with $2^e > t > 0$. (1.1)

In 1878, a self-taught farmer, François Proth, proved Theorem 1.1 below. As a consequence, the primality of Proth numbers can be decided by a simple, fast probabilistic primality test, called Proth's test, which randomly chooses an integer $a \pmod N$ and then computes $b = a^{(N-1)/2} \pmod N$. If $b \equiv -1 \pmod N$, then $N$ is a prime by Theorem 1.1. If $b^2 \not\equiv 1 \pmod N$, then $N$ is composite by Fermat's Little Theorem. However, if $b \equiv 1 \pmod N$, the primality of $N$ remains unknown. In the case that $b \equiv -1 \pmod N$, the chosen $a$ is a quadratic nonresidue mod $N$. Therefore, when $N$ is prime, Proth's test has probability $\frac{1}{2}$ of being able to return $N$ prime.

Theorem 1.1 (Proth's Theorem). Let $N$ be a Proth number defined in (1.1). If

$a^{(N-1)/2} \equiv -1 \pmod N$ (1.2)

for some $a$, then $N$ is a prime.

See [12] for a proof of Theorem 1.1.

Theorem 1.2. Let $N$ be a Proth number defined in (1.1). There is a deterministic algorithm deciding the primality of $N$. The expected running time and the worst case running time of the algorithm are

$O((t \log t + \log N) \log N)$

and

$O((t \log t + \log N) \log^2 N)$

bit operations, respectively.

In this paper, we prove Theorem 1.2 by showing Algorithm 4.1. When $t$ is $O(\log N)$, the expected running time and the worst case running time are $O(\log^2 N)$ and $O(\log^3 N)$ bit operations, respectively. To the best of our knowledge, Algorithm 4.1 is the fastest among all the known deterministic primality proving algorithms which are applicable in this case. The running times of AKS [2] and Lenstra-Pomerance's modified AKS algorithm [7] are $O(\log^{7.5} N)$ and $O(\log^6 N)$, respectively. Adleman-Pomerance-Rumely [1] runs in sub-exponential time. All the algorithms mentioned above have been proven unconditionally to be deterministic. With extra assumptions such as the Extended Riemann Hypothesis, we have the following results: The elliptic curve primality proving algorithm [4], [6] runs in $O(\log^5 N)$. The running time of Miller's algorithm [9] is $O(\log^4 N)$. AKS can be improved [5], [8] to $O(\log^4 N)$. Proth's test becomes deterministic and the running time is $O(\log^4 N)$ since it only has to check congruence equation (1.2) with $2 \le a \le k$, where $k$ is $O(\log^2 N)$ by the results from Ankeny [3].

We present the basic algorithm and the proof of it in Section 2 and Section 3, respectively. In Section 4 we improve the expected running time by randomization.

2 Deterministic Primality Proving 

Let $N > 3$ be a Proth number defined in (1.1). We present a deterministic primality proving algorithm, Algorithm 2.1, for this form of numbers in this section. The correctness proof and the running time analysis will be shown in the next section.

Denote a fixed square root of $x$ modulo $N$ by $\sqrt{x} \pmod N$.

Algorithm 2.1 (Deterministic Primality Proving). The input is $N > 3$, a Proth number defined in (1.1). This algorithm returns PRIME if $N$ is a prime. Otherwise, it returns COMPOSITE.
I. Try finding $a_2 = \sqrt{-1} \pmod N$ by Algorithm 2.2.
   If Algorithm 2.2 halts due to $N$ composite, return COMPOSITE.

II. For each ($3 \le j \le e$) {
    Try computing $a_j = \sqrt{a_{j-1}} \pmod N$ by Algorithm 3.3.
    If Algorithm 3.3 halts due to $N$ composite, return COMPOSITE.
}

III. Return PRIME.

We discuss the first step below and the second step, the crucial step of Algorithm 2.1, in the next section.

Step I can be computed as follows: Suppose $N$ is a prime. Let $H$ be the subgroup of $\mathbb{F}_N^*$ with $2t$ elements, where $\mathbb{F}_N^*$ denotes the multiplicative group of the finite field with $N$ elements. Among $1 \le i \le 2t+1$, there exists some $i \notin H$. We have $i^{2t} \not\equiv 1 \pmod N$. If $i^{2^k t} \equiv -1 \pmod N$ for some $1 \le k \le e-1$, then $i^{2^{k-1} t} \equiv \sqrt{-1} \pmod N$.

Suppose $N$ is a prime or a composite number. If $j^{2t} \equiv 1 \pmod N$ for all $1 \le j \le 2t+1$, we deduce that $N$ is composite since there are $2t+1$ elements with order dividing $2t$. For some $1 \le i \le 2t+1$, if $i^{2t} \not\equiv 1 \pmod N$ but $i^{2^k t} \not\equiv -1 \pmod N$ for all $1 \le k \le e-1$, then either

(1) $i^{2^e t} \not\equiv 1 \pmod N$, or

(2) $i^{2^k t} \not\equiv \pm 1 \pmod N$ and $i^{2^{k+1} t} \equiv 1 \pmod N$ for some $1 \le k \le e-1$.

In case (1), $N$ is composite by Fermat's Little Theorem. In case (2), $\gcd(i^{2^k t} - 1, N)$ is a non-trivial factor of $N$ and so $N$ is composite.

Algorithm 2.2 (Computing $\sqrt{-1} \pmod N$). The input is $N = 2^e t + 1$ for some integer $e > 1$ and odd $t$. If $N$ is a prime, this algorithm returns $\sqrt{-1} \pmod N$. Otherwise, this algorithm either returns an integer congruent to $\sqrt{-1} \pmod N$ or halts due to $N$ composite.

I.1. Compute $b_j = j^{2t} \pmod N$ for $1 \le j \le 2t+1$.

I.2. If $b_j \equiv 1 \pmod N$ for all $1 \le j \le 2t+1$, halt due to $N$ composite.

I.3. Suppose $b_i \not\equiv 1 \pmod N$ for some $1 \le i \le 2t+1$.
     Compute $b_i^{2^k} \pmod N$ for $0 \le k \le e-2$.

I.4. If $b_i^{2^k} \not\equiv -1 \pmod N$ for all $0 \le k \le e-2$, halt due to $N$ composite.

I.5. Suppose $b_i^{2^{k_0}} \equiv -1 \pmod N$ for some $0 \le k_0 \le e-2$.
     Return $i^{2^{k_0} t} \pmod N$.

Algorithm 2.2 runs in

$O((t \log t + \log N) \log N)$

bit operations since steps I.1, I.2 take $O(t \log t \log N)$ bit operations and steps I.3, I.4, I.5 take $O(e \log N) = O(\log^2 N)$.
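As a worked example that is not part of the paper, the following Python code implements Algorithm 2.2 step by step. The names `proth_params`, `sqrt_minus_one`, `algorithm_2_2` and the `Composite` exception are this example's own, not the paper's. The inputs are constructed: $97 = 2^5 \cdot 3 + 1$ is prime, $49 = 2^4 \cdot 3 + 1 = 7^2$ is a composite Proth number, and $5 = 2^2 \cdot 1 + 1$ is the smallest prime the algorithm accepts.

```python
from math import gcd


class Composite(Exception):
    """Raised when the algorithm halts because N has been proven composite."""


def proth_params(N):
    """Write N = 2^e * t + 1 with t odd and check the Proth condition 2^e > t > 0."""
    m, e = N - 1, 0
    while m % 2 == 0:
        m //= 2
        e += 1
    if not (e >= 1 and 2 ** e > m > 0):
        raise ValueError("%d is not a Proth number" % N)
    return e, m


def sqrt_minus_one(N):
    """Algorithm 2.2: an integer r with r^2 = -1 (mod N), or raise Composite.

    For prime N the result is a square root of -1. For composite N the function
    either raises Composite or still returns some r with r^2 = -1 (mod N).
    """
    e, t = proth_params(N)
    # Step I.1: b_j = j^(2t) (mod N) for 1 <= j <= 2t+1.
    b = {j: pow(j, 2 * t, N) for j in range(1, 2 * t + 2)}
    # Step I.2: a cyclic group of order 2^e t has only 2t elements of order dividing 2t,
    # so 2t+1 such elements prove N composite.
    nontrivial = [j for j in range(1, 2 * t + 2) if b[j] != 1]
    if not nontrivial:
        raise Composite("2t+1 elements with order dividing 2t")
    # Steps I.3-I.5: square b_i repeatedly; the first power equal to -1 gives the root.
    i = nontrivial[0]
    c = b[i]
    for k in range(0, e - 1):                 # 0 <= k <= e-2
        if c == N - 1:                        # b_i^(2^k) = i^(2^(k+1) t) = -1 (mod N),
            return pow(i, (2 ** k) * t, N)    # so i^(2^k t) squares to -1
        c = c * c % N
    raise Composite("no power b_i^(2^k) is congruent to -1")


def algorithm_2_2(N):
    """Wrapper that reports the halting branch: ('COMPOSITE', None) or ('ROOT', r)."""
    try:
        return "ROOT", sqrt_minus_one(N)
    except Composite:
        return "COMPOSITE", None


if __name__ == "__main__":
    # Constructed inputs: 97 = 2^5 * 3 + 1 is prime, 49 = 2^4 * 3 + 1 = 7^2 is composite.
    print(algorithm_2_2(97))   # ('ROOT', 22)
    print(algorithm_2_2(49))   # ('COMPOSITE', None)
```

For $N = 97$, Step I.3 picks $i = 2$ with $b_2 = 2^6 \equiv 64$, the squarings give $64, 22, 96 \equiv -1$, so $k_0 = 2$ and the returned root is $2^{12} \equiv 22 \pmod{97}$ (indeed $22^2 = 484 = 5 \cdot 97 - 1$). For $N = 49$ the squarings of $b_2 = 15$ cycle through $29, 8, 15$ without ever reaching $-1$, which is the Step I.4 halt.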

3 Taking Square Roots 

Given $\sqrt{-1} \pmod N$, a square root of a fixed value, we show how to compute the square roots of an arbitrary value when $N$ is a prime. For more details of computing square roots with this idea, see [11] and [10].

Suppose $N$ is a prime for the following. Given a quadratic residue $\beta \pmod N$ with $1 \le \beta \le N-1$, we are going to find a square root of $\beta$ modulo $N$. Suppose

$\beta \equiv \alpha^2 \pmod N$ for some integer $\alpha$.

Define two sets $G'_\alpha$ and $G_\alpha$ as

$G'_\alpha = \{[a] : a \not\equiv \pm\alpha \pmod N\}$, and (3.1)
$G_\alpha = G'_\alpha \cup \{[\infty]\}$. (3.2)

We denote the elements in $G_\alpha$ by $[\,\cdot\,]$ for avoiding confusion with the elements in $\bar{\mathbb{Z}}$, where

$\bar{\mathbb{Z}} = \mathbb{Z} \cup \{\infty\}$, (3.3)

where $\mathbb{Z}$ is the set of integers. Two elements $[a_1], [a_2] \in G'_\alpha$ are equal if and only if $a_1 \equiv a_2 \pmod N$. Therefore, there are exactly $N-2$ and $N-1$ elements in $G'_\alpha$ and $G_\alpha$, respectively.

Further, define an operator $*$ as follows: For any $[a] \in G_\alpha$ and any $[a_1], [a_2] \in G'_\alpha$ with $a_1 + a_2 \not\equiv 0 \pmod N$,

$[a] * [\infty] = [\infty] * [a] = [a]$, (3.4)

$[a_1] * [-a_1] = [\infty]$, (3.5)

$[a_1] * [a_2] = [(a_1 a_2 + \alpha^2)(a_1 + a_2)^{-1}]$, (3.6)

where $x^{-1}$ denotes the multiplicative inverse of $x \pmod N$ for integer $x$ with $\gcd(x, N) = 1$. Interestingly, $(G_\alpha, *)$ is a well-defined group, which is isomorphic to $\mathbb{F}_N^*$.

Proposition 3.1. When $N$ is prime, $(G_\alpha, *)$ is isomorphic to $\mathbb{F}_N^*$.

Proof. Define a bijective mapping

$\psi : G_\alpha \to \mathbb{F}_N^*, \quad [\infty] \mapsto 1, \quad [a] \mapsto (a + \alpha)(a - \alpha)^{-1}$ (3.7)

with inverse mapping

$\psi^{-1} : \mathbb{F}_N^* \to G_\alpha, \quad 1 \mapsto [\infty], \quad b \mapsto [\alpha (b + 1)(b - 1)^{-1}]$. (3.8)

A straightforward calculation shows that $\psi$ is a homomorphism. □

In the rest of the paper, we drop the symbol $*$ and denote the group operation of $G_\alpha$ by multiplication. Algorithm 3.2 below shows how to perform the group operation. In the algorithm, the integer $N$ may be a prime or a composite number since the algorithm is going to be used for deciding the primality of $N$.

Algorithm 3.2 (Group Operation). The inputs are $N$, $\beta \in \mathbb{Z}$ and $a_1, a_2 \in \bar{\mathbb{Z}}$ such that $0 < \beta < N$ and either $a_i = \infty$ or $a_i^2 \not\equiv \beta \pmod N$ for $i = 1, 2$. If $N$ is a prime, the input $\beta$ is guaranteed to be a quadratic residue modulo $N$ and this algorithm returns $a \in \bar{\mathbb{Z}}$ such that $[a] = [a_1][a_2] \in G_\alpha$. Otherwise, this algorithm either returns some $a' \in \bar{\mathbb{Z}}$ or halts due to $N$ composite.

1. If $a_1 = \infty$, return $a_2$.

2. If $a_2 = \infty$, return $a_1$.

3. If $a_1 + a_2 \equiv 0 \pmod N$, return $\infty$.

4. If $\gcd(a_1 + a_2, N) \ne 1$, halt due to $N$ composite.

5. Compute $a = (a_1 a_2 + \beta)(a_1 + a_2)^{-1} \pmod N$.

6. If $a^2 \equiv \beta \pmod N$, halt due to $N$ composite.
   Otherwise, return $a$.

Algorithm 3.2 basically follows the group operation definitions (3.4), (3.5) and (3.6). It also handles the case that $N$ is a composite number. In such a case, $G_\alpha$ is no longer a well-defined group. If the algorithm halts in Step 4, a non-trivial factor of $N$ is discovered and so $N$ is a composite number. If it halts in Step 6, we have $(a_1 a_2 + \beta)^2 \equiv \beta (a_1 + a_2)^2 \pmod N$, which implies $(a_1^2 - \beta)(a_2^2 - \beta) \equiv 0 \pmod N$. Since $a_i^2 \not\equiv \beta \pmod N$ for $i = 1, 2$ by the assumption, $a_1^2 - \beta$ and $a_2^2 - \beta$ are zero divisors, which means that $N$ is composite. Note that the value of $\alpha$ is not required in Algorithm 3.2.

Equipped with $G_\alpha$ and Algorithm 3.2, we are ready to describe how to compute square roots modulo $N$, which is the main ingredient of Step II in Algorithm 2.1. In Algorithm 3.3 below, the notation $[x]^y$ means using Algorithm 3.2 and the successive squaring method to compute $[x]$ to the power $y$. Algorithm 3.3 halts due to $N$ composite as soon as Algorithm 3.2 does, if it is the case.

Algorithm 3.3 (Taking Square Root Modulo $N$). The inputs are integers $N$, $\beta$ and $b$ such that $1 \le \beta \le N-1$ and $b^2 \equiv -1 \pmod N$, where $N = 2^e t + 1$ for some integer $e > 1$ and odd $t$ as before. If $N$ is a prime, the input $\beta$ is guaranteed to be a quadratic residue modulo $N$ and this algorithm returns $\sqrt{\beta} \pmod N$. If $N$ is a composite number, this algorithm either returns an integer congruent to $\sqrt{\beta} \pmod N$ or halts due to $N$ composite.

II.1. Check easy cases:

   (a) If $\gcd(b + 1, N) \ne 1$, halt due to $N$ composite.

   (b) If $j^2 \equiv \beta \pmod N$ for some $1 \le j \le 2t$, return $j$.

II.2. Find $[a]$ such that $[a]^2 \ne [\infty]$ and $[a]^4 = [\infty]$ as below:

   (a) Compute $[c_j] = [j]^{2t}$ for $1 \le j \le 2t$.

   (b) If $[c_j] = [\infty]$ for all $1 \le j \le 2t$, halt due to $N$ composite.

   (c) Suppose $[c_i] \ne [\infty]$ for some $1 \le i \le 2t$.
       Compute $[c_i]^{2^k}$ for $0 \le k \le e-2$.

   (d) If $[c_i]^{2^k} \ne [0]$ for all $0 \le k \le e-2$, halt due to $N$ composite.

   (e) Suppose $[c_i]^{2^{k_0}} = [0]$ for some $0 \le k_0 \le e-2$.
       Compute $[a] = [i]^{2^{k_0} t}$.

II.3. Compute $\alpha$:

   (a) Compute $\alpha = a(b - 1)(b + 1)^{-1} \pmod N$.

   (b) If $\alpha^2 \not\equiv \beta \pmod N$, halt due to $N$ composite.
       Otherwise, return $\alpha$.
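As an added example (not code from the paper), the following Python block implements the group operation of Algorithm 3.2, the powering $[x]^y$ by successive squaring, the square-root Algorithm 3.3, and Steps II and III of Algorithm 2.1 on top of them. The names `group_mul`, `group_pow`, `sqrt_mod`, `algorithm_2_1` and the `Composite` exception are this example's own; `INF = None` is an assumed sentinel for $[\infty]$. Step I of Algorithm 2.1 is supplied by the caller, so the square roots of $-1$ used below were checked by hand: $22^2 = 484 = 5 \cdot 97 - 1$ for the prime $97 = 2^5 \cdot 3 + 1$, and $8^2 = 64 = 65 - 1$ for the composite Proth number $65 = 2^6 + 1 = 5 \cdot 13$.

```python
from math import gcd

INF = None  # represents the identity [infinity] of G_alpha


class Composite(Exception):
    """Raised when an algorithm halts because N has been proven composite."""


def group_mul(N, beta, a1, a2):
    """Algorithm 3.2: the product [a1][a2] in G_alpha, where beta = alpha^2 (mod N)."""
    if a1 is INF:                                   # Step 1
        return a2
    if a2 is INF:                                   # Step 2
        return a1
    s = (a1 + a2) % N
    if s == 0:                                      # Step 3: [a][-a] = [infinity]
        return INF
    if gcd(s, N) != 1:                              # Step 4: a proper factor of N
        raise Composite("gcd(a1 + a2, N) is a non-trivial factor of N")
    a = (a1 * a2 + beta) * pow(s, -1, N) % N        # Step 5
    if a * a % N == beta % N:                       # Step 6: zero divisors, so N is composite
        raise Composite("(a1^2 - beta)(a2^2 - beta) = 0 (mod N)")
    return a


def group_pow(N, beta, x, y):
    """[x]^y by successive squaring, with Algorithm 3.2 for every multiplication."""
    result, base = INF, x
    while y > 0:
        if y & 1:
            result = group_mul(N, beta, result, base)
        y >>= 1
        if y:
            base = group_mul(N, beta, base, base)
    return result


def sqrt_mod(N, beta, b):
    """Algorithm 3.3: a square root of beta modulo N, given b with b*b = -1 (mod N)."""
    e = ((N - 1) & -(N - 1)).bit_length() - 1       # N - 1 = 2^e * t with t odd
    t = (N - 1) >> e
    if gcd(b + 1, N) != 1:                          # Step II.1(a)
        raise Composite("gcd(b + 1, N) != 1")
    for j in range(1, 2 * t + 1):                   # Step II.1(b): roots among 1..2t
        if j * j % N == beta % N:
            return j
    for j in range(1, 2 * t + 1):                   # Step II.2(a)-(b): [c_j] = [j]^(2t)
        c = group_pow(N, beta, j, 2 * t)
        if c is not INF:
            i = j
            break
    else:
        raise Composite("2t+1 elements of G_alpha with order dividing 2t")
    for k in range(0, e - 1):                       # Step II.2(c)-(e): square [c_i] until [0]
        if c == 0:
            a = group_pow(N, beta, i, (2 ** k) * t)  # [a]^2 = [0], so [a] has order 4
            break
        c = group_mul(N, beta, c, c)
    else:
        raise Composite("no power [c_i]^(2^k) equals [0]")
    alpha = a * (b - 1) * pow(b + 1, -1, N) % N     # Step II.3(a): psi([a]) = +-b
    if alpha * alpha % N != beta % N:               # Step II.3(b)
        raise Composite("alpha^2 != beta (mod N)")
    return alpha


def algorithm_2_1(N, a2):
    """Algorithm 2.1, Steps II-III; a2 is the output of Step I (Algorithm 2.2), a root of -1."""
    e = ((N - 1) & -(N - 1)).bit_length() - 1
    a = a2
    try:
        for _ in range(3, e + 1):                   # Step II: a_j = sqrt(a_{j-1}), 3 <= j <= e
            a = sqrt_mod(N, a, a2)
    except Composite:
        return "COMPOSITE"
    return "PRIME"                                  # Step III: Theorem 1.1 with a = a_e


if __name__ == "__main__":
    # Constructed inputs: 22^2 = -1 (mod 97) with 97 prime; 8^2 = -1 (mod 65) with 65 = 5 * 13.
    print(algorithm_2_1(97, 22))   # PRIME
    print(algorithm_2_1(65, 8))    # COMPOSITE
```

Tracing `sqrt_mod(97, 22, 22)` shows the mechanism: $[1]^6 = [84] \ne [\infty]$, its squarings are $[71], [50], [0]$, so $k_0 = 3$ and $[a] = [1]^{24} = [50]$ has order 4; Step II.3 then gives $\alpha = 50 \cdot 21 \cdot 23^{-1} \equiv 33$, and $33^2 = 1089 \equiv 22 \pmod{97}$. For $N = 65$ the squarings of $[1]^2 = [37]$ never reach $[0]$ and the II.2(d) halt fires, which is the only way Algorithm 2.1 can answer COMPOSITE here since a chain ending in $a_e$ would satisfy (1.2).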
Proposition 3.4. Algorithm 3.3 is correct.

Proof. Step II.1 checks two easy cases. Step II.1.(a) checks whether the inverse of $b + 1 \pmod N$ exists. Let $d = \gcd(b + 1, N)$. We have $d \ne N$ since $b^2 \equiv -1 \pmod N$. If $d \ne 1$, then $d$ is a non-trivial factor of $N$. In Step II.1.(b), if $j$ is a square root of $\beta$ modulo $N$ for some $1 \le j \le 2t$, we are done.

Step II.2 is similar to Algorithm 2.2. If $N$ is a prime, both of them compute an order 4 element: Algorithm 2.2 computes a square root of $-1 \pmod N$, an order 4 element in $\mathbb{F}_N^*$, while an order 4 element $[a]$ in $G_\alpha$ is computed in Step II.2. Note that $G_\alpha$ is isomorphic to $\mathbb{F}_N^*$ as shown in Proposition 3.1. The identity and the order 2 element in $G_\alpha$ are $[\infty]$ and $[0]$, respectively.

Suppose $N$ is a prime. Denote the $2t$-torsion subgroup of $G_\alpha$ by $H_\alpha$. The size of $H_\alpha$ is $2t$ since $G_\alpha$ is cyclic. If $[c_j] = [j]^{2t} = [\infty]$ for all $1 \le j \le 2t$, all the $2t+1$ elements in the set $\{[\infty], [0], [1], \dots, [2t-1]\}$ have order dividing $2t$ in $G_\alpha$, which leads to a contradiction. Suppose $[c_i] \ne [\infty]$ for some $1 \le i \le 2t$. In Step II.2.(d), if $[c_i]^{2^k} \ne [0]$ for all $0 \le k \le e-2$, then $[i]^{2^{e-1} t} \ne [0]$, which implies $[i]^{|G_\alpha|} \ne [\infty]$, a contradiction. Therefore, if the algorithm halts at Step II.2.(b) or Step II.2.(d), then $N$ is composite. The order of the element $[a] \in G_\alpha$ computed in Step II.2.(e) is exactly 4 since $[a]^2 = [0] \ne [\infty]$ and $[a]^4 = [\infty]$. In $\mathbb{F}_N^*$ the only order 4 elements are $\pm b$. By Proposition 3.1 we have $\psi([a]) \equiv \pm b \pmod N$. In Step II.3, the integer $\alpha = a(b - 1)(b + 1)^{-1} \pmod N$ is a square root of $\beta$ by the construction of $G_\alpha$. If $\alpha^2 \not\equiv \beta \pmod N$, it means that $N$ is a composite number.

The Proposition follows. □

Proposition 3.5. Algorithm 3.3 runs in

$O((t \log t + \log N) \log N)$

bit operations.

Proof. All the powers $[x]^y$ are computed by Algorithm 3.2 and the successive squaring method, which take $O(\log y \log N)$ bit operations.

Step II.1 takes $O(t \log N)$ bit operations. In Step II.2, the running time of parts (a) and (b) together is $O(t \log t \log N)$, parts (c) and (d) together take $O(e \log N) = O(\log^2 N)$ bit operations, and part (e) takes $O(\log^2 N)$ bit operations. Therefore, Step II.2 takes $O((t \log t + \log N) \log N)$ bit operations in total. Step II.3 only takes $O(\log N)$ bit operations.

The Proposition follows. □
Finally, we show the following propositions.

Proposition 3.6. Algorithm 2.1 is correct.

Proof. If either Step I or Step II in Algorithm 2.1 returns COMPOSITE, the input $N$ must be composite by Algorithm 2.2 and Algorithm 3.3, respectively. Note that if $N$ is a prime, the integer $a_{j-1}$ in Step II is a quadratic residue modulo $N$ for all $3 \le j \le e$.

Otherwise, Step III returns PRIME. In this case, $N$ is indeed a prime by Theorem 1.1 with $a = a_e$, where $a_e$ is computed in Step II.

The Proposition follows. □

Proposition 3.7. Algorithm 2.1 runs in

$O((t \log t + \log N) \log^2 N)$

bit operations.

Proof. Step I takes $O((t \log t + \log N) \log N)$ bit operations by Algorithm 2.2. By Algorithm 3.3, Step II takes $O(e(t \log t + \log N) \log N) = O((t \log t + \log N) \log^2 N)$ bit operations. Step III can be done in $O(\log N)$ bit operations. The Proposition follows. □



4 Randomization 

Algorithm 2.1 first tries computing $a_2 = \sqrt{-1} \pmod N$, and then it repeatedly takes square roots to obtain $a_3, a_4, \dots, a_e$ such that $a_j = \sqrt{a_{j-1}} \pmod N$ for $3 \le j \le e$. If $N$ is a prime, all the computations succeed and it ends up with $a_e$, a quadratic nonresidue modulo $N$. In total it takes $e - 1 = O(\log N)$ square roots, which dominates the running time of the entire algorithm. In this section, we improve Algorithm 2.1 by repeatedly taking square roots of a randomly chosen integer, instead of the fixed integer $-1$. We first randomly choose an integer $a$. Then, we compute $\sqrt{a} \pmod N$, $\sqrt{\sqrt{a}} \pmod N$ and so on. If $N$ is a prime, this process ends up with a quadratic nonresidue modulo $N$.

For prime $N = 2^e t + 1$, the multiplicative group $\mathbb{F}_N^*$ being cyclic tells that most of the elements in $\mathbb{F}_N^*$ have order with a large 2-part. Only a few square root computations are required in order to obtain a quadratic nonresidue from these elements. In fact, half of the elements in $\mathbb{F}_N^*$ are quadratic nonresidues modulo $N$. The order of a quadratic nonresidue is divisible by $2^e$. In general, for $1 \le k \le e$, there are exactly $2^{k-1} t$ elements having order divisible by $2^k$ but not $2^{k+1}$. Only $e - k$ square root computations are required for obtaining a quadratic nonresidue from these $2^{k-1} t$ elements. The randomized algorithm is presented below.

Algorithm 4.1 (Randomized Deterministic Primality Proving). The input is $N > 3$, a Proth number defined in (1.1). This algorithm returns PRIME if $N$ is a prime. Otherwise, it returns COMPOSITE.

(i) Find $b_k$ such that the order of $b_k \pmod N$ is $2^k$ for some $k \ge 2$ as below:

   (a) Randomly choose an integer $1 < a < N-1$ until $a^{2t} \not\equiv 1 \pmod N$.
       If there are $2t - 1$ distinct integers $1 < a < N-1$ such that $a^{2t} \equiv 1 \pmod N$, return COMPOSITE.

   (b) Compute $a_0 = a^t \pmod N$.
       If $a_0^{2^e} \not\equiv 1 \pmod N$, return COMPOSITE.

   (c) Find the least $k \ge 2$ such that $a_0^{2^k} \equiv 1 \pmod N$.
       If $a_0^{2^{k-1}} \not\equiv -1 \pmod N$, return COMPOSITE.

   (d) Set $b_2 = a_0^{2^{k-2}} \pmod N$.
       Set $b_k = a_0$.

(ii) For each ($k+1 \le j \le e$) {
    Try computing $b_j = \sqrt{b_{j-1}} \pmod N$ by Algorithm 3.3.
    If Algorithm 3.3 halts due to $N$ composite, return COMPOSITE.
}

(iii) Return PRIME.
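As an added example, not the paper's own code, the following Python block implements Step (i) of Algorithm 4.1 and reports how many square roots Step (ii) would still have to take, which is the quantity $e - k$ discussed above. The names `proth_e_t`, `algorithm_4_1_step_i` and `square_roots_remaining` are this example's own; the random choice uses a seeded `random.Random` so that runs are reproducible. The inputs are constructed: $97 = 2^5 \cdot 3 + 1$ is prime and $49 = 2^4 \cdot 3 + 1 = 7^2$ is composite.

```python
import random


def proth_e_t(N):
    """Write N - 1 = 2^e * t with t odd."""
    e = ((N - 1) & -(N - 1)).bit_length() - 1
    return e, (N - 1) >> e


def algorithm_4_1_step_i(N, seed=0):
    """Step (i) of Algorithm 4.1.

    Returns 'COMPOSITE' when a sub-step proves N composite, otherwise the
    triple (b2, bk, k): b2 is a square root of -1 and bk has order exactly 2^k, k >= 2.
    """
    e, t = proth_e_t(N)
    rng = random.Random(seed)          # seeded so that the run is reproducible
    seen = set()                       # a is drawn without replacement
    # Step (i)(a): draw a in the open interval (1, N-1) until a^(2t) != 1 (mod N).
    while True:
        a = rng.randrange(2, N - 1)
        if a in seen:
            continue
        seen.add(a)
        if pow(a, 2 * t, N) != 1:
            break
        if len(seen) == 2 * t - 1:     # with 1 and N-1: 2t+1 elements of order dividing 2t
            return "COMPOSITE"
    # Step (i)(b): Fermat check on a0 = a^t, since a0^(2^e) = a^(N-1).
    a0 = pow(a, t, N)
    if pow(a0, 2 ** e, N) != 1:
        return "COMPOSITE"
    # Step (i)(c): least k >= 2 with a0^(2^k) = 1; the previous power must be -1.
    k = 2
    while pow(a0, 2 ** k, N) != 1:
        k += 1
    if pow(a0, 2 ** (k - 1), N) != N - 1:
        return "COMPOSITE"            # gcd(a0^(2^(k-1)) - 1, N) would be a proper factor
    # Step (i)(d): b2 has order 4, bk = a0 has order 2^k.
    b2 = pow(a0, 2 ** (k - 2), N)
    return b2, a0, k


def square_roots_remaining(N, seed=0):
    """e - k, the number of square roots Step (ii) still takes; None if Step (i) proved N composite."""
    e, _ = proth_e_t(N)
    res = algorithm_4_1_step_i(N, seed)
    return None if res == "COMPOSITE" else e - res[2]


if __name__ == "__main__":
    for seed in range(5):
        print(97, algorithm_4_1_step_i(97, seed), "remaining:", square_roots_remaining(97, seed))
    print(49, algorithm_4_1_step_i(49, 0))   # COMPOSITE
```

For $N = 97$ the returned $k$ varies with the seed, but every result satisfies $b_2^2 \equiv -1$, $b_k^{2^{k-1}} \equiv -1$ and $b_k^{2^k} \equiv 1 \pmod{97}$, and the number of remaining square roots is $5 - k$; most seeds give $k = 5$, i.e. no square root at all, in line with Lemma 4.5. For $N = 49$ the chosen $a$ either shares the factor 7 with $N$ or has $a^{48} \equiv a^6 \not\equiv 1$, so Step (i)(b) always returns COMPOSITE.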

Proposition 4.2. Algorithm 4.1 is correct.

Proof. In Step (i)(a), we randomly choose an integer $a$ from the open interval $(1, N-1)$ without replacement until $a^{2t} \not\equiv 1 \pmod N$. If there are $2t - 1$ distinct integers $a$ in $(1, N-1)$ such that $a^{2t} \equiv 1 \pmod N$, then these $2t - 1$ distinct integers together with $1$ and $N - 1$ are in total $2t + 1$ distinct integers with order modulo $N$ dividing $2t$. Therefore, $N$ is composite. In Step (i)(b), if $a_0^{2^e} = a^{N-1} \not\equiv 1 \pmod N$, then $N$ is composite by Fermat's Little Theorem. In Step (i)(c), the least positive integer $k$ with $a_0^{2^k} \equiv 1 \pmod N$ exists since $a_0^{2^e} \equiv 1 \pmod N$. We also have $k \ge 2$ because $a^{2t} \not\equiv 1 \pmod N$ by Step (i)(a). If $a_0^{2^{k-1}} \not\equiv -1 \pmod N$, then $\gcd(a_0^{2^{k-1}} - 1, N)$ is a non-trivial factor of $N$, and so $N$ is composite. If Step (i)(a), (i)(b) and (i)(c) do not return COMPOSITE, we end up in Step (i)(d) with $b_2 = a_0^{2^{k-2}} \equiv \pm\sqrt{-1} \pmod N$ and $b_k = a_0$ with $b_k^{2^{k-1}} \equiv -1 \pmod N$. Note that $b_2$ is required as an input of Algorithm 3.3 used in Step (ii). We will show that the value of $k$ is large with high probability later in the section.

Steps (ii) and (iii) are similar to Steps II and III in Algorithm 2.1 except that Step (ii) begins taking square roots with $b_k$. If Algorithm 3.3 does not halt due to $N$ composite, the invariant $b_j^{2^{j-1}} \equiv -1 \pmod N$ is maintained in the loop for $k \le j \le e$. If $b_e$ is obtained, $N$ is a prime by Theorem 1.1 with $a = b_e$.

The Proposition follows. □

Proposition 4.3. The expected running time and the worst case running time of Algorithm 4.1 are

$O((t \log t + \log N) \log N)$

and

$O((t \log t + \log N) \log^2 N)$

bit operations, respectively.

Proof. Step (i)(a) requires $O(t \log t \log N)$ bit operations. Steps (i)(b), (i)(c) and (i)(d) together take $O(\log^2 N)$ bit operations. The running time of Step (ii) is $O(m (t \log t + \log N) \log N)$ bit operations, where $m$ is an upper bound on the number of iterations in the loop. Step (iii) can be done in $O(\log N)$ bit operations. The entire algorithm is dominated by Step (ii). The total running time is $O(m (t \log t + \log N) \log N)$ bit operations.

The value of $m$ depends on the integer $a$ chosen in Step (i)(a). It is easy to see that the worst case is $m = O(\log N)$. We will show that the expected value of $m$ is at most 1 in Lemma 4.5. The Proposition follows. □

Let $v_2(x)$ be the 2-adic valuation function. For a positive integer $x = 2^r s$ with $s$ odd, we have $v_2(x) = r$, which is the exponent of the 2-part of $x$. Let $\mathrm{ord}_p(a)$ be the order of $a \pmod p$ for prime $p$ and $a \not\equiv 0 \pmod p$. We show in Lemma 4.4 below that the expected value of $v_2(\mathrm{ord}_p a)$ for a random integer $a$ is bounded below by $v_2(p - 1) - 1$.

Lemma 4.4. Let $p = 2^{e'} t' + 1$ be an odd prime for some odd $t'$ and $e' \ge 1$. Let $a$ be an integer randomly chosen from the open interval $(1, p-1)$ such that $a^{2d} \not\equiv 1 \pmod p$ for some positive divisor $d$ of $t'$. Then the expected value

$E(v_2(\mathrm{ord}_p a)) \ge e' - 1$.
Proof. By counting the number of integers $a \in (1, p-1)$ such that $v_2(\mathrm{ord}_p a) = i$ for $i = 0, 1, \dots, e'$, we have

$$\sum_{\substack{1 < a < p-1 \\ a^{2d} \not\equiv 1 \pmod p}} v_2(\mathrm{ord}_p a) = 0 \cdot (t' - d) + 1 \cdot (t' - d) + \sum_{i=2}^{e'} i \cdot 2^{i-1} t' = (e' - 1)(p - 1) + t' - d.$$

Then, the expected value is

$$E(v_2(\mathrm{ord}_p a)) = e' - 1 + \frac{2d(e' - 1) + t' - d}{p - 1 - 2d} \ge e' - 1.$$

The Lemma follows. □
Lemma 4.5.

$E(m) \le 1$.

Proof. Suppose $N$ is a prime. Recall that $a$ is a randomly chosen integer in Step (i)(a) such that $a^{2t} \not\equiv 1 \pmod N$ and $k = v_2(\mathrm{ord}_N a)$. By Lemma 4.4 with $d = t$, we have $E(k) = E(v_2(\mathrm{ord}_N a)) \ge e - 1$. Therefore,

$E(m) = E(e - k) \le 1$.

Suppose $N$ is composite. Let $p$ be a prime divisor of $N$ such that $v_2(p - 1)$ is the minimum among all the prime divisors of $N$. Write $p = 2^{e'} t' + 1$. Clearly, we have $e' \le e$. If the algorithm does not discover $N$ composite in Step (i), the maximum number of iterations is bounded above by $e'$, i.e. $m \le e'$. Let $a$ be the integer chosen in Step (i)(a). If $p$ divides $a$, then Step (i)(b) will return COMPOSITE since $a_0^{2^e} = a^{2^e t} \not\equiv 1 \pmod N$. Suppose $p$ does not divide $a$. By Lemma 4.4 with $d = \gcd(t, t')$, we have $E(v_2(\mathrm{ord}_p a)) \ge e' - 1$. Finally,

$E(m) \le E(e' - v_2(\mathrm{ord}_p a)) \le 1$.

The Lemma follows. □
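As an added example that is not part of the paper, the following Python block checks Lemma 4.4 and the prime case of Lemma 4.5 exactly on a small prime: it enumerates every admissible $a$, computes $v_2(\mathrm{ord}_p a)$ by brute force, and compares the exact expectation with the closed form from the proof. The names `v2`, `multiplicative_order`, `expected_v2_order`, `lemma_4_4_bound` and `expected_iterations` are this example's own. The constructed input is $p = 97 = 2^5 \cdot 3 + 1$, so $e' = 5$, $t' = 3$, and $d = t' = 3$ is the choice Lemma 4.5 makes for a prime $N$.

```python
from fractions import Fraction


def v2(x):
    """2-adic valuation: the exponent of the largest power of 2 dividing x > 0."""
    return (x & -x).bit_length() - 1


def multiplicative_order(a, p):
    """ord_p(a) by repeated multiplication; fine for the small primes used here."""
    x, k = a % p, 1
    while x != 1:
        x = x * a % p
        k += 1
    return k


def expected_v2_order(p, d):
    """Exact E(v2(ord_p a)) for a uniform in the open interval (1, p-1) with a^(2d) != 1 (mod p)."""
    sample = [a for a in range(2, p - 1) if pow(a, 2 * d, p) != 1]
    total = sum(v2(multiplicative_order(a, p)) for a in sample)
    return Fraction(total, len(sample))


def lemma_4_4_bound(p, d):
    """The closed form from the proof of Lemma 4.4: e' - 1 + (2d(e'-1) + t' - d) / (p - 1 - 2d)."""
    e1 = v2(p - 1)
    t1 = (p - 1) >> e1
    return e1 - 1 + Fraction(2 * d * (e1 - 1) + t1 - d, p - 1 - 2 * d)


def expected_iterations(N):
    """E(m) = E(e - k) for a prime Proth number N, with k = v2(ord_N a) and d = t as in Lemma 4.5."""
    e = v2(N - 1)
    t = (N - 1) >> e
    return e - expected_v2_order(N, t)


if __name__ == "__main__":
    # Constructed check: p = 97 = 2^5 * 3 + 1 (prime), d = t' = 3.
    print(expected_v2_order(97, 3), lemma_4_4_bound(97, 3))   # 64/15 64/15
    print(expected_iterations(97))                            # 11/15
```

For $p = 97$ and $d = 3$ the sample has $96 - 6 = 90$ elements, the valuation counts are $0, 0, 6, 12, 24, 48$ for $i = 0, \dots, 5$, and the sum $12 + 36 + 96 + 240 = 384$ equals $(e' - 1)(p - 1) + t' - d = 4 \cdot 96$, giving $E(v_2(\mathrm{ord}_p a)) = 64/15 > e' - 1 = 4$ and $E(m) = 5 - 64/15 = 11/15 \le 1$.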

Proof of Theorem 1.2. It follows from Propositions 4.2 and 4.3. □